From f9170607f2b43234968622cec3c38de6528268ed Mon Sep 17 00:00:00 2001
From: "daniel.radl" <daniel.radl@amr.at>
Date: Tue, 1 Jul 2025 16:16:53 +0200
Subject: [PATCH] Added overrider to use docker secrets for mariadb password

---
 docs/environment-variables.md         |  4 ++++
 example.env                           |  3 +++
 overrides/compose.mariadb-secrets.yml | 12 ++++++++++++
 overrides/compose.mariadb.yaml        |  4 ++--
 4 files changed, 21 insertions(+), 2 deletions(-)
 create mode 100644 overrides/compose.mariadb-secrets.yml

diff --git a/docs/environment-variables.md b/docs/environment-variables.md
index b1a44d9f..616b06fa 100644
--- a/docs/environment-variables.md
+++ b/docs/environment-variables.md
@@ -25,6 +25,10 @@ Frappe framework release. You can find all releases [here](https://github.com/fr
 
 Password for MariaDB (or Postgres) database.
 
+### `DB_PASSWORD_SECRETS_FILE`
+
+Path to the db_password.txt file. Set only if you use docker secrets for the database password (use `overrides/compose.mariadb-secrets.yaml`)
+
 ### `DB_HOST`
 
 Hostname for MariaDB (or Postgres) database. Set only if external service for database is used or the container can not be reached by its service name (db) by other containers.
diff --git a/example.env b/example.env
index cb24c103..7634cdf3 100644
--- a/example.env
+++ b/example.env
@@ -4,6 +4,9 @@ ERPNEXT_VERSION=v15.67.0
 
 DB_PASSWORD=123
 
+#Only if you use docker secrets for the db password
+DB_PASSWORD_SECRETS_FILE=
+
 # Only if you use external database
 DB_HOST=
 DB_PORT=
diff --git a/overrides/compose.mariadb-secrets.yml b/overrides/compose.mariadb-secrets.yml
new file mode 100644
index 00000000..00ffe2dc
--- /dev/null
+++ b/overrides/compose.mariadb-secrets.yml
@@ -0,0 +1,12 @@
+services:
+  db:
+    environment:
+      - MYSQL_ROOT_PASSWORD: /run/secrets/db_password
+    healthcheck:
+      test: mysqladmin ping -h localhost --password="$(cat /run/secrets/db_password)"
+    secrets:
+      - db_password
+
+secrets:
+  db_password:
+    file: ${DB_PASSWORD_SECRETS_FILE:?No db secret file set}
diff --git a/overrides/compose.mariadb.yaml b/overrides/compose.mariadb.yaml
index 1d6e55c6..ebce5038 100644
--- a/overrides/compose.mariadb.yaml
+++ b/overrides/compose.mariadb.yaml
@@ -10,7 +10,7 @@ services:
   db:
     image: mariadb:10.6
     healthcheck:
-      test: mysqladmin ping -h localhost --password=${DB_PASSWORD}
+      test: mysqladmin ping -h localhost --password=${DB_PASSWORD:-123}
       interval: 1s
       retries: 20
     restart: unless-stopped
@@ -20,7 +20,7 @@ services:
       - --skip-character-set-client-handshake
       - --skip-innodb-read-only-compressed # Temporary fix for MariaDB 10.6
     environment:
-      MYSQL_ROOT_PASSWORD: ${DB_PASSWORD:?No db password set}
+      MYSQL_ROOT_PASSWORD: ${DB_PASSWORD:-123}
     volumes:
       - db-data:/var/lib/mysql